Thks for your quick reply, I've read the link but I'm not sure that it answer my question...

On the user's computer, we already have VSE87 and MASE87 (is this equivalent to McAfee Total Protection?) and On-Access-Scan is enabled.

Personal Security is NOT a new malware (ie not know and not in McAfee signature file) but well-know. ScriptScan is on.

So, OK there's pop-up saying false things that your's computer is infected, bla-bla and you should download XYZ program to get ride of this.

BUT as the user have VSE87 and MASE87and DAT File is up-to-date and ScriptScan on, McAfee AV shouldn't even allowed the install to start (or at least when the installation is finished, block and quarantine C:\Program Files\PersonSecurity\psecurity.exe (which mean that this program should never run at all)

They should be able to tell why the scanner is unable to detected and remove the software.

On another note, prevention is always better then remediation.A good http scanner (like the webwasher a.k.a. the McAfee Web Gateway) could prevent to popup or banner from showing up at the first place.

The only reason I could think off on demand scan (Scan32.exe) trying to elevate the privileges to scan and Mcshield (Access protection rule) denies to execute those permission. Whereas on demand scan is not is stopped and still it continues and completes the scan.

This seems to be a known issue with VSE8.7 version irrespective of patch level. Upgrading to VSE8.8 solved the issue.